From 9cbf866de7311bbc65e3107dea28dd50e543387c Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 3 Apr 2021 09:36:47 +0200
Subject: [PATCH] bundles/mosquitto: introduce, add to node home.nas
---
bundles/mosquitto/files/mosquitto.conf | 39 ++++++++++++++++++++++++++
bundles/mosquitto/items.py | 17 +++++++++++
bundles/mosquitto/metadata.py | 33 ++++++++++++++++++++++
nodes/home/nas.py | 39 ++++++++++++++++++++------
4 files changed, 119 insertions(+), 9 deletions(-)
create mode 100644 bundles/mosquitto/files/mosquitto.conf
create mode 100644 bundles/mosquitto/items.py
create mode 100644 bundles/mosquitto/metadata.py
diff --git a/bundles/mosquitto/files/mosquitto.conf b/bundles/mosquitto/files/mosquitto.conf
new file mode 100644
index 0000000..1b73129
--- /dev/null
+++ b/bundles/mosquitto/files/mosquitto.conf
@@ -0,0 +1,39 @@
+per_listener_settings true
+
+allow_zero_length_clientid true
+autosave_interval 5
+autosave_on_changes true
+log_dest syslog
+log_timestamp false
+persistence true
+persistence_location /var/lib/mosquitto/
+pid_file /run/mosquitto/mosquitto.pid
+set_tcp_nodelay ${str(node.metadata.get('mosquitto/tcp_nodelay', True)).lower()}
+
+% for port, config in sorted(node.metadata.get('mosquitto/listeners', {}).items()):
+listener ${port}
+ max_connections ${config.get('max_connections', -1)}
+ protocol ${config.get('protocol', 'mqtt')}
+ allow_anonymous ${str(config.get('allow_anonymous', True)).lower()}
+
+% endfor
+
+% for bridge, config in sorted(node.metadata.get('mosquitto/bridges', {}).items()):
+connection ${bridge}
+ address ${config['peer']}
+ bridge_attempt_unsubscribe true
+ cleansession ${str(config.get('cleansession', True)).lower()}
+ notifications true
+ notifications_local_only true
+ remote_clientid ${config.get('client_id', node.name)}
+% if 'auth' in config:
+ remote_password ${config['auth']['password']}
+ remote_username ${config['auth']['username']}
+% endif
+ start_type automatic
+% for topic in config['topics']:
+ topic ${topic['pattern']} ${topic.get('direction', 'in')} ${topic.get('qos', 0)} /${topic.get('local_prefix', bridge)}/ ${topic.get('remote_prefix', '')}
+% endfor
+ try_private ${str(config.get('try_private', True)).lower()}
+
+% endfor
diff --git a/bundles/mosquitto/items.py b/bundles/mosquitto/items.py
new file mode 100644
index 0000000..358e077
--- /dev/null
+++ b/bundles/mosquitto/items.py
@@ -0,0 +1,17 @@
+files = {
+ '/etc/mosquitto/mosquitto.conf': {
+ 'content_type': 'mako',
+ 'triggers': {
+ 'svc_systemd:mosquitto:restart',
+ },
+ },
+}
+
+svc_systemd = {
+ 'mosquitto': {
+ 'needs': {
+ 'file:/etc/mosquitto/mosquitto.conf',
+ 'pkg_apt:mosquitto',
+ },
+ },
+}
diff --git a/bundles/mosquitto/metadata.py b/bundles/mosquitto/metadata.py
new file mode 100644
index 0000000..cf36fda
--- /dev/null
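Review bot: Every listener rendered by the `% for port, config ...` loop defaults `allow_anonymous` to true, and the template carries no `password_file` or `acl_file` directive, so the only way a node can switch anonymous access off on a listener is to reject every client; with `per_listener_settings true` those directives would have to live inside the listener block anyway. Rendering them from metadata when present, e.g. `% if 'password_file' in config:` / ` password_file ${config['password_file']}` / `% endif` under `listener ${port}`, gives nodes an authenticated option and lets the `allow_anonymous` default become false later. The `listener ${port}` line also passes no bind address, so each listener binds all interfaces; an optional second token such as `listener ${port} ${config.get('bind_address', '')}` would let a node keep e.g. a websockets listener on an internal address. The `remote_password` line writes the bridge credential in plaintext into /etc/mosquitto/mosquitto.conf, which the file item in items.py should account for with a restrictive mode.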
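Review bot: The `/etc/mosquitto/mosquitto.conf` file item sets no `mode`, `owner` or `group`, yet the Mako template renders bridge `remote_password` values into that file, so the credential lands on disk with bundlewrap's default file mode (world-readable unless this project overrides it). Adding `'mode': '0640'`, `'owner': 'root'`, `'group': 'mosquitto'` keeps it readable by the broker, which drops to the `mosquitto` user on Debian, and nobody else. Since that group is created by the package, the file item then also needs `'needs': {'pkg_apt:mosquitto'}`; at present only the `svc_systemd` item depends on the package, so on a fresh node the file may be applied before the package exists.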
+++ b/bundles/mosquitto/metadata.py
@@ -0,0 +1,33 @@
+from bundlewrap.metadata import atomic
+
+
+defaults = {
+ 'apt': {
+ 'packages': {
+ 'mosquitto': {},
+ 'mosquitto-clients': {},
+ },
+ },
+ 'mosquitto': {
+ 'listeners': {
+ '1883': {},
+ },
+ },
+}
+
+
+@metadata_reactor.provides(
+ 'iptables/port_rules',
+)
+def iptables(metadata):
+ sources = metadata.get('mosquitto/restrict-to', {'*'})
+ result = {}
+
+ for listener in metadata.get('mosquitto/listeners').keys():
+ result[listener] = atomic(sources)
+
+ return {
+ 'iptables': {
+ 'port_rules': result,
+ },
+ }
diff --git a/nodes/home/nas.py b/nodes/home/nas.py
index eba9f9f..9935504 100644
--- a/nodes/home/nas.py
+++ b/nodes/home/nas.py
@@ -4,6 +4,7 @@ nodes['home.nas'] = {
 'hostname': '172.19.138.20',
 'bundles': {
 'backup-server',
+ 'mosquitto',
 'netdata',
 'nfs-server',
 'smartd',
@@ -50,13 +51,9 @@ nodes['home.nas'] = {
 'nas': {},
 },
 'iptables': {
- 'custom_rules': [
- # Dell ULNM
- 'iptables -A INPUT -p tcp --dport 4679 -j ACCEPT',
- ],
 'port_rules': {
- '1883': { # mosquitto
- '172.19.136.0/25', # wireguard clients, because remote access
+ '4679': { # Dell ULNM
+ '172.19.136.0/25',
 '172.19.138.0/24',
 },
 '5060': { # yate SIP
@@ -67,9 +64,6 @@ nodes['home.nas'] = {
 'home.snom-wohnzimmer',
 'home.bubble01',
 },
- '8083': { # mosquitto Websocket
- '172.19.138.0/24',
- },
 # yate RTP uses some random UDP port. We cannot firewall
 # it, because for incoming calls the other side decides
 # which port to use. That's why we simply allow all UDP
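Review bot: `iptables()` falls back to `{'*'}` for `mosquitto/restrict-to` while `defaults` already declares listener `'1883'`, so a node that merely adds the bundle gets a port rule accepting 1883 from any source, and because the template's `allow_anonymous` default is true that is an unauthenticated broker exposed to whatever can reach the host. A closed-by-default reactor is safer: `sources = metadata.get('mosquitto/restrict-to', set())` and emit no entry when `sources` is empty (assuming the iptables bundle treats a missing port as no ACCEPT rule), or require nodes to set the key explicitly. The loop also applies one source set to every listener; iterating `for listener, config in metadata.get('mosquitto/listeners').items():` with `result[listener] = atomic(config.get('restrict-to', sources))` would let a node keep a websockets listener narrower than the plain MQTT one. Minor style point: `'restrict-to'` is the only hyphenated key in this bundle's metadata, the rest (`tcp_nodelay`, `max_connections`, `client_id`) use underscores.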
@@ -82,6 +76,33 @@ nodes['home.nas'] = {
 },
 },
 },
+ 'mosquitto': {
+ 'bridges': {
+ 'c3voc': {
+ 'peer': 'mqtt.c3voc.de',
+ 'client_id': 'kunsi-home',
+ 'auth': {
+ 'username': vault.decrypt('encrypt$gAAAAABgaBa5UZyZlsMM9TV5pa-VyOieFWYzAslxWVnXjOeXHvF4kMHHSHSMOrv-U9k7Ec3mMCDuJFO3ybpOsZSeFQDL7GgEfw=='),
+ 'password': vault.decrypt('encrypt$gAAAAABgaBbfm65cYBuod0UehWNmY0NfeUH9xsrP2kENYNF_LWP2iV5a8db_cqMoITwyjjBsHpvjaeDq07Z5K5nQ_BLZG6zPqapL-Qvp20wyck49Dy2R4V4='),
+ },
+ 'topics': [
+ {
+ 'pattern': '#',
+ 'remote_prefix': '/voc/',
+ },
+ ],
+ },
+ },
+ 'listeners': {
+ '8083': {
+ 'protocol': 'websockets',
+ },
+ },
+ 'restrict-to': {
+ '172.19.136.0/25',
+ '172.19.138.0/24',
+ },
+ },
 'nfs-server': {
 'shares': {
 '/storage/nas': {
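Review bot: With `restrict-to` listing both subnets and the bundle's reactor applying that one set to every listener, the websockets listener `'8083'` is now reachable from `172.19.136.0/25` as well, whereas the rule this commit removes (`'8083': {'172.19.138.0/24'}`) allowed only the LAN; if that widening is unintended it needs a per-listener source set rather than a node-wide one. The `c3voc` bridge entry `{'pattern': '#', 'remote_prefix': '/voc/'}` relies on the template's `direction` default of `in`, so the node only mirrors the remote `/voc/#` tree into local `/c3voc/` and never publishes outward; a comment like `# inbound only: mirrors /voc/# from c3voc into local /c3voc/` next to the pattern would make that intent visible. The `nodes['home.nas']` dict starts and ends outside the hunk.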